Security of quantum key distribution protocols using two-way classical communication or weak coherent pulses



Barbara Kraus 1, Cyril Branciard 2, and Renato Renner 3
1 Institute for Theoretical Physics, University of Innsbruck, Austria 
2 Group of Applied Physics, University of Geneva, 1211 Geneva 4, Switzerland 
3 Department of Applied Mathematics and Theoretical Physics, 
University of Cambridge, Cambridge CB3 0WA, United Kingdom
(Dated: February 1, 2008) 

We apply the techniques introduced in [Kraus et al., Phys. Rev. Lett., 95, 080501, 2005] to prove
security of quantum key distribution (QKD) schemes using two-way classical post-processing as well 
as QKD schemes based on weak coherent pulses instead of single-photon pulses. As a result, we 
obtain improved bounds on the secret-key rate of these schemes. 

PACS numbers: 03.67.Dd,03.67.-a 



I. INTRODUCTION 

A fundamental problem in cryptography is to enable 
two distant parties, traditionally called Alice and Bob, to 
communicate in absolute privacy, even in presence of an 
eavesdropper, Eve. It is a well known fact that a secret 
key, i.e., a randomly chosen bit string held by both Alice 
and Bob, but unknown to Eve, is sufficient to perform 
this task (one-time pad encryption). Thus, the problem 
of secret communication reduces to the problem of dis- 
tributing a secret key. 

Classical key distribution protocols are typically based 
on unproven computational assumptions, e.g., that the 
task of decomposing a large number into its prime fac- 
tors is intractable. In contrast to that, the security of 
quantum key distribution (QKD) protocols merely relies 
on the laws of physics, or, more specifically, quantum 
mechanics. This ultimate security is certainly one of the 
main reasons why so much theoretical and experimental 
effort is undertaken towards the implementation of secure 
QKD protocols 0,0. 

Typically [32], in the first step of a QKD protocol, Alice
chooses a random bit string and encodes each bit into
the state of a quantum system, which she then sends to 
Bob (using a quantum channel). Bob applies a certain 
measurement on the received quantum system to decode 
the bit value. In a second step, called sifting, Alice and 
Bob publicly exchange some information about the en- 
coding and decoding of each of the bits which allows them 
to discard bit pairs which are not (or only weakly) cor- 
related. 

After this sifting process, Alice and Bob hold a pair 
of classical correlated bitstrings, in the following called 
raw key pair. Alice and Bob can determine the quality 
of the raw key pair by comparing the values of some ran- 
domly chosen bit pairs (using an authenticated classical 
communication channel). This so-called parameter esti- 
mation gives an estimate for the quantum bit error rate 
(QBER), i.e., the ratio of positions for which the values 
of the bits held by Alice and Bob do not coincide. A 
fundamental principle of QKD is that this error rate also 



imposes a bound on the amount of information an adver- 
sary can have on the raw key: The smaller the QBER, 
the more secret key bits can be extracted from the raw 
key. If the QBER is above a certain threshold, then no 
secret key can be generated at all, and Alice and Bob 
have to abort the protocol [33].

The purpose of the remaining part of the protocol, 
called classical post-processing, is to transform the raw 
key pair into a pair of identical and secret keys. In this ar- 
ticle, we consider classical post-processing which consists 
of the following three subprotocols: (i) local randomiza- 
tion (also called pre-processing), where Alice randomly 
flips each of her bits with some given probability q, (ii) er- 
ror correction, where Alice and Bob equalize their strings, 
and (iii) privacy amplification, where Alice and Bob ap- 
ply some compression function to their bitstring with the 
aim to reduce Eve's information on the outcome. Steps 
(i)-(iii) described above only require (classical) one-way 
communication from Alice to Bob. However, in practical 
implementations, the error correction is sometimes done 
with two-way protocols (e.g., the cascade protocol |j|). 

In 0,0 an information-theoretic technique to analyze
QKD protocols of the type described above has been pre- 
sented. In contrast to most previously known methods 
(e.g., p|), the technique does not require a transforma- 
tion of the key distillation protocol into an entanglement 
purification scheme, which makes it very general. It has 
been applied to prove the security of various schemes such 
as the BB84, the six-state, the B92, and the SARG protocol
0, El 111 111 (see [S0 for an analysis of the first
three protocols and [T]| for an analysis of the latter). In
particular, it has been shown that the local randomiza- 
tion, i.e., step (i) described above, increases the bounds 
on the maximum tolerated QBER by roughly 10-15 %. 

In this paper, we extend the technique of |g, L3 (Section II) and apply it to two classes of QKD protocols which have not been covered in H 0. The first (Section III) is the class of so-called two-way protocols. These use an additional subprotocol, called advantage distillation, which is invoked between the parameter estimation and the classical post-processing step described above. In contrast to the classical post-processing considered in [g, |jfl, advantage distillation uses two-way communication between Alice and Bob. Second, we study protocols which use weak coherent pulses instead of single-photon pulses (Section IV). For both scenarios, we show that local randomization increases the secret-key rates.

II. INFORMATION-THEORETIC ANALYSIS OF 
QKD SCHEMES 

In this section we first review the results presented in 0,0 and then show how they can be generalized. Throughout this paper we use subscripts to indicate the subsystems on which a state is defined. Alice and Bob's quantum systems are labelled by A and B, respectively. Similarly, the classical values obtained by measuring their quantum systems are denoted by X and Y, respectively. Typically, we write $\rho_{AB}$, or $\rho^n$, to denote the state of all the qubits held by Alice and Bob, whereas $\sigma_{AB}$ is a two-qubit state. We will often consider two-qubit Bell-diagonal states, i.e., states that are diagonal in the Bell basis, $|\Phi_{ij}\rangle = (|0, 0+i\rangle + (-1)^j |1, 1+i\rangle)/\sqrt{2}$. $P_{|\Phi\rangle}$ denotes the projector onto the state $|\Phi\rangle$. Furthermore, we denote by $h(x) = -x\log_2(x) - (1-x)\log_2(1-x)$ the binary entropy function.

A. Review of the technique 

The information-theoretic technique proposed in 0, 0] 
directly applies to a general class of quantum key dis- 
tribution protocols using one-way classical communica- 
tion. However, it is required that the protocol can be 
represented as a so-called entanglement-based scheme, as 
described below. 

Generally, a QKD protocol uses a set of so-called encoding bases. We consider the special case where each basis j is defined by two states $|\phi_j^0\rangle$ and $|\phi_j^1\rangle$, which are used to encode the bit values 0 and 1, respectively. In a prepare-and-measure scheme, Alice repeatedly chooses at random a bit i and a basis j, prepares the state $|\phi_j^i\rangle$, and sends the state to Bob. Bob then measures the state in a randomly chosen basis k. This measuring process can be seen as some filtering operation $B_k = |0\rangle\langle\phi_k^{1\perp}| + |1\rangle\langle\phi_k^{0\perp}|$, where $|\phi_k^{i\perp}\rangle$ is some state orthogonal to $|\phi_k^i\rangle$, followed by a measurement in the computational basis.

In an entanglement-based view, the above can equivalently be described as follows: Alice prepares the two-qubit states $A_j|\Phi_{00}\rangle$, where $|\Phi_{00}\rangle$ denotes the Bell state $1/\sqrt{2}\,(|0,0\rangle + |1,1\rangle)$ and $A_j$ is an encoding operator (for details see p) such that $\langle i|A_j|\Phi_{00}\rangle = |\phi_j^i\rangle$. She then sends the second qubit to Bob and prepares Bob's system at a distance by measuring her system in the computational basis. Bob's measurement is described in the same way as in the prepare-and-measure scheme.

Note that, in an experimental realization of a QKD 
protocol, one might prefer to implement a prepare-and- 
measure scheme. However, when analyzing the security 



of a protocol, it is usually more convenient to consider 
its entanglement-based version. 

As an illustration, consider the BB84 protocol, which uses the z-basis and the x-basis for the encoding. Using the above notation, we have $|\phi_0^i\rangle = |i_z\rangle$ and $|\phi_1^i\rangle = |i_x\rangle$, for i = 0, 1. Hence, the operators applied by Alice are $A_0 = \mathbb{1}$ and $A_1 = H$, where H denotes the Hadamard transformation. Because the bases are orthonormal, the same operators describe Bob's measurement as well.

For the following, we assume that Alice and Bob apply a randomly chosen permutation to rearrange the order of their qubit pairs, in the following denoted by $\mathcal{P}_S$, and, additionally, apply to each of the qubit pairs at random either the identity or the operation $\sigma_x \otimes \sigma_x$. (Note that the symmetrization operations commute with the measurement and can therefore be applied to the classical bit strings.) Then, as shown in 0, the state $\rho_{AB}$ describing the N qubit pairs shared by Alice and Bob can generally (after the most general attack by Eve, a so-called coherent attack) be considered to be of a simple form, namely

PAB= £ V,-..^^^)®^®^®^)- 
m,.. .,n.4 

(1) 

The sum runs over all nonnegative $n_1, \ldots, n_4$ such that $n_1 + n_2 + n_3 + n_4 = N$. The set of possible values of the coefficients $\lambda_{n_1,n_2,n_3,n_4}$ depends on the specific protocol and the parameters estimated by Alice and Bob (e.g., the QBER of the raw key). Furthermore, one can assume without loss of generality that Eve has a purification of this state, i.e., the situation is fully described by a pure state $|\Psi\rangle_{ABE}$ such that $\rho_{AB} = \mathrm{tr}_E(P_{|\Psi\rangle_{ABE}})$. (However, as we shall see, dropping this assumption might lead to better estimates of the key rate.) After this distribution of quantum information Alice and Bob measure their systems. Thus they are left with classical bit-strings.

Consider now any situation where Alice and Bob have a classical pair of raw keys $X^n$ and $Y^n$ consisting of n bits whereas Eve controls a quantum system E. The secret-key rate, i.e., the rate at which secret key bits can be generated per bit of the raw key, for any one-way protocol (with communication from Alice to Bob), is given by

$$r = \lim_{\varepsilon \to 0}\lim_{n \to \infty}\frac{1}{n}\sup_{U^n \leftarrow X^n}\Big(S_2^{\varepsilon}(U^n E^n) - S_0^{\varepsilon}(E^n) - H_0^{\varepsilon}(U^n|Y^n)\Big). \tag{2}$$

Here, $S_\alpha^\varepsilon$, $H_\alpha^\varepsilon$ denote the smooth Renyi entropies (also called min-entropy if $\alpha = \infty$ and max-entropy if $\alpha = 0$) |2l| . Moreover, the supremum runs over all classical values $U^n$ that can be computed from (the classical value) $X^n$.

For a QKD protocol as described above (where the distributed state is of the form of Eq. (1)), formula (2) can be lower bounded by an expression which only involves two-qubit systems. More precisely [g,

$$r \ge \sup_{U \leftarrow X}\ \inf_{\sigma_{AB} \in \Gamma_Q} S(U|E) - H(U|Y), \tag{3}$$

where $\Gamma_Q$ is the set of all two-qubit states $\sigma_{AB}$ (after the filtering operation) which can result from a collective attack |3j( and which are compatible with the parameters estimated by Alice and Bob (in particular, the QBER). Here, S and H denote the von Neumann entropy and its classical counterpart, the Shannon entropy, respectively. Moreover, X and Y denote the classical outcomes of measurements of $\sigma_{AB}$ (on A and B, respectively) in the computational basis, and E is any system that purifies $\sigma_{AB}$. Similarly to the above formula, the supremum runs over all mappings from X to U [35].

B. Local randomization 

The local randomization step described above has first been considered in 0, Q and later been improved in [16]. In [17], the local randomization is nicely explained in the context of entanglement purification.

To get an intuition why the local randomization can help to increase the secret-key rate, it is useful to describe the process as a quantum operation (as in [17]). Let $\sigma_{AB}$ be the state of a qubit pair held by Alice and Bob and let $|\Phi\rangle_{ABE}$ be a purification of $\sigma_{AB}$. The state after Alice randomly flips her bit value A with probability q can be described by $|\Psi\rangle_{AA'BE} = \sqrt{1-q}\,|\Phi\rangle_{ABE}|0\rangle_{A'} + \sqrt{q}\,\sigma_x|\Phi\rangle_{ABE}|1\rangle_{A'}$, where A' is an auxiliary system on Alice's side. The measurement of system A gives the raw key. Note that $|\Psi\rangle_{AA'BE}$ results from the application of a controlled-not operation on system AA', where system A' is prepared in the state $\sqrt{1-q}\,|0\rangle_{A'} + \sqrt{q}\,|1\rangle_{A'}$. The randomization of Alice thus entangles her system to some auxiliary system (which is not under Eve's control). This, in turn, reduces the entanglement between Alice's relevant system (A) and Eve's systems (monogamy of entanglement), as Eve does not have a purification of the state on the systems A and B, since now she only has the purification of the state $\rho_{AA'B}$. Note that Bob's information on A is also reduced by the randomization process, but, for certain values of the parameter q, he is less penalized than Eve. From this point of view, it can be easily understood that the local randomization can help to increase the secret-key rate.



C. Comparison to known bounds 

For protocols based on qubit pairs, where the raw key pair is obtained by orthogonal measurements of Alice and Bob on some Bell-diagonal state $\sigma_{AB} = \sum_{i,j} \lambda_{ij} P_{|\Phi_{ij}\rangle}$ (e.g., the BB84 or the six-state protocol), it follows from that the secret-key rate r (even without the local randomization) is bounded by

$$r \ge 1 - S(\sigma_{AB}) \ge 1 - h(e_b) - h(e_p).$$

Here, $e_b = \lambda_{10} + \lambda_{11}$ is the QBER and $e_p = \lambda_{01} + \lambda_{11}$ the phase error rate, i.e., the probability that Alice and Bob get different bits when measuring in the z and the x-basis, respectively. Because the QBER and the phase error rate are not changed by applying at random $\sigma_x$ or $\sigma_z$, which make any state Bell diagonal, the bound $1 - h(e_b) - h(e_p)$ holds for arbitrary states $\sigma_{AB}$. Note that the above bound implies any of the lower bounds on the one-way secret-key rate derived in previous works 0, [14].

D. Generalization of the lower bound 

Because we assume above that Eve controls a system that purifies the state $\rho_{AB}$ held by Alice and Bob, the bound (jSJ) is fully determined by $\rho_{AB}$. However, this assumption on Eve might overestimate her possibilities, in which case the bound is not optimal. In the following we drop this assumption to derive better lower bounds on the secret-key rate.

Suppose that the state distributed in an entanglement- 
based scheme is of the form V s ((D A b ® 1)^ (p° AB E )) , 
where Vs again denotes the map that randomly permutes 
the order of the qubit pairs, T>ab is some completely 
positive map on two-qubit states, and p\ BE is some tri- 
partite state. Then, it is an immediate consequence of 
Lemma A. 4 in that the bound 10 on the secret-key 
rate can be generalized to 

$$r \ge \sup_{U \leftarrow X}\ \inf_{\sigma_{ABE} \in \Gamma_Q} S(U|E) - H(U|Y). \tag{4}$$

Here, the infimum ranges over the set $\Gamma_Q$ of all states $\sigma_{ABE}$ which can result from a collective attack and are compatible with the parameters estimated by Alice and Bob (e.g., the QBER).

We refer to Appendix [U] for an application of this result
to improve the analysis of the one-way SARG protocol 
for single-photon pulses. 

Consider now the general situation where the state describing Alice, Bob, and Eve's system is the reduced density operator of a state $|\Psi\rangle_{ABER} = \sum_n \alpha_n |\Psi_n\rangle_{ABE}|n\rangle_R$, where $\{|n\rangle\}$ forms an orthonormal basis of the Hilbert space of an auxiliary system R, i.e., none of the three parties has the auxiliary system at their disposal. Starting from 10} and using the concavity of the entropy, we find that the secret-key rate is bounded by

where $S(U|E,n) = S(UE|n) - S(E|n)$ is the entropy of U conditioned on E and the event that the measurement of the auxiliary system R in the basis $\{|n\rangle\}$ yields n.

One might also improve the bound using the following observation which has also been used to derive the bound given in Eq. @. Let us consider the situation where some auxiliary system is at Alice's and/or Bob's disposal, but not at Eve's (this could be for instance some additional qubits). Suppose that the state shared by ABE and some auxiliary system R (which is not under Eve's control) is given by $|\Psi\rangle_{ABER} = \sum_n \alpha_n |\Psi_n\rangle_{ABE}|n\rangle_R$, where $\{|n\rangle\}$ is an orthonormal basis of $\mathcal{H}_R$, the Hilbert space corresponding to system R. The state $|\tilde\Psi\rangle_{ABER} = \sum_n \alpha_n U_n^{AB}|\Psi_n\rangle_{ABE}|n\rangle_R$, with $U_n^{AB}$ unitary operators diagonal in the z-basis, leads to the same measurement outcome for any measurement by Alice and Bob in the computational basis as $|\Psi\rangle_{ABER}$, that is $|k,l\rangle_{AB}\langle k,l|\,\tilde\rho_{ABE}\,|k,l\rangle_{AB}\langle k,l| = |k,l\rangle_{AB}\langle k,l|\,\rho_{ABE}\,|k,l\rangle_{AB}\langle k,l|$, where $\tilde\rho_{ABE} = \mathrm{tr}_R(P_{|\tilde\Psi\rangle_{ABER}})$ and $\rho_{ABE} = \mathrm{tr}_R(P_{|\Psi\rangle_{ABER}})$. Assuming that Eve has a purification of the state $\rho_{AB}$ can only provide her with more power compared to the situation where she has a purification of the state $\rho_{ABR}$, since this is equivalent to giving her the system R, which she could simply measure, leading to the same result as before (for details see also |(|). Thus, we can consider the situation where Alice and Bob share the state $\rho_{AB}$ and Eve has a purification of it. This can only increase Eve's power. We will use this observation in Appendix B, in order to determine a good lower bound on the secret-key rate for a QKD protocol using the so-called XOR process.



III. QKD PROTOCOLS WITH TWO-WAY 
POST-PROCESSING 

In the following, we will consider QKD protocols 
where, before the post-processing of the raw key as de- 
scribed above, Alice and Bob additionally invoke a so- 
called advantage-distillation subprotocol, which requires 
two-way communication between Alice and Bob. The notion
of advantage distillation has first been investigated
in the context of classical key agreement [18] and later
been generalized to QKD 0, [20].

The advantage distillation protocol we consider here 
has the following form: Alice publicly announces to Bob 
the position of a block of m bits which have all the same 
value (of course, she does not tell him which value). Then 
Bob tells Alice whether for the given position, his corre- 
sponding bits are all identical as well. If this is the case, 
they both continue using the first bit of the block as a 
new raw-key bit, otherwise they discard the whole block. 
We emphasize here that our analysis below works for any 
fixed value of the block size m (not only asymptotically 
for large m). This is important for realistic protocols, 
where m is usually small (e.g., m = 3). 

To simplify the study of such protocols, we first show that it suffices to analyze the action of the advantage distillation process on two-qubit Bell-diagonal states. More precisely, Lemma 1 below implies that the state $\tilde\rho^{\tilde n}$ obtained by applying a block-wise operation $\mathcal{E}$ (for blocks of size m) to a symmetric state $\rho^n$ (see Eq. (1)) has virtually the same statistics as if $\mathcal{E}$ was applied to a state
Lemma 1. Let p n be a state on n particle pairs of the 



form 

and let a be a two-qubit Bell-diagonal state with eigen- 
values — 2^ . Moreover, let £ be an operation which 
maps Bell states of blocks of m particle pairs to Bell states 
of one single particle pair. Finally, let 

ni,...,Tt4 

be the state describing fi = ^ particle pairs defined by 
Pn '■= £® n {p n ) and let Ai,...,A4 be the eigenvalues of 
a := £{a® m ). Then, for any £ > 0, 

V u- - - - > 1- r 9 ( fe2 ) + o(iogn) 

(ni,...,n 4 )6B e (Ai,...,A 4 ) 

where B e (\\, . . . , A4) denotes the set of all tu- 
ples (ni,...,fii) such that (^,...,2^) is e-close to 
(Ai,...,A4) and 0(ne 2 ) is asymptotically the same as 
fie 2 , up to a constant factor. 

The lemma is a direct consequence of the exponential quantum de Finetti Theorem [21]. It states that, for any n-partite quantum state $\rho^n$ which is invariant under permutations of the subsystems, any part $\rho^m = \mathrm{tr}_{n-m}(\rho^n)$ consisting of m subsystems is exponentially (in n - m) close to a convex combination of states that virtually are of the form $\sigma^{\otimes m}$. For completeness, we give a direct proof of Lemma 1 (without referring to de Finetti's theorem) in Appendix A.

In order to analyze protocols with advantage distillation using Lemma 1 we use the following quantum mechanical description of the advantage distillation subprotocol: Alice and Bob both apply the operation $\mathcal{X}_m = |0\rangle\langle 0, \ldots, 0| + |1\rangle\langle 1, \ldots, 1|$ on m qubits. It is straightforward to check that

$$\mathcal{X}_2^{\otimes 2}\big(|\Phi_{i,j}\rangle|\Phi_{k,l}\rangle\big) = \frac{1}{\sqrt{2}}\,\delta_{i,k}\,|\Phi_{i,j+l}\rangle, \tag{6}$$

where the sum j + l of indices is understood to be modulo 2. Hence, applying advantage distillation to m identical Bell-diagonal qubit-pairs with eigenvalues $\lambda_{i,j}$ leads to a Bell-diagonal state with eigenvalues $\lambda'_{i,j}$ given by

$$\lambda'_{i,j} = \frac{1}{T}\big[(\lambda_{i,0} + \lambda_{i,1})^m + (-1)^j(\lambda_{i,0} - \lambda_{i,1})^m\big], \tag{7}$$

where $T = 2[(1-Q)^m + Q^m]$ and where $Q = \lambda_{1,0} + \lambda_{1,1}$ is the QBER before the advantage distillation. The QBER Q' after the advantage distillation is thus given by $Q' = \lambda'_{1,0} + \lambda'_{1,1} = Q^m/[(1-Q)^m + Q^m]$, and $(1-Q)^m + Q^m$ is the probability that the advantage distillation is successful (i.e., Alice and Bob end up with a new raw key bit). If Alice and Bob apply, after the advantage distillation, the one-way classical post-processing described above, the lower bound on the secret-key rate is given by Eq. J2J), where the eigenvalues of $\sigma_{AB}$ are given by the $\lambda'$'s in (7) Js3- For instance for the six-state protocol one obtains a positive key rate for any QBER < 0.276 (for $m \to \infty$). Note that for the six-state protocol it has been shown that the tolerable QBER cannot be larger than 0.276, if the first step in the post-processing is advantage distillation [22]. As mentioned before, the bound on the secret-key rate is not only valid for $m \to \infty$, but for any value of the block size on which advantage distillation is applied.
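The finite-block claim above can be checked numerically. The following is an added example, not code from the paper: it applies Eq. (7) to the six-state protocol and evaluates the bound $r \ge 1 - S(\sigma_{AB})$ of Section II C on the distilled state, i.e., with U = X and no local randomization, so the thresholds it finds are for that weaker setting. The eigenvalue parametrization $\lambda_{01} = \lambda_{10} = \lambda_{11} = Q/2$ is an assumption (the standard symmetric six-state noise model), and all function names are hypothetical.

```python
import math


def shannon_entropy(probs):
    """Shannon entropy in bits; zero-probability terms contribute nothing."""
    return -sum(p * math.log2(p) for p in probs if p > 0.0)


def six_state_eigenvalues(qber):
    """Bell-diagonal eigenvalues (l00, l01, l10, l11) for a given QBER.

    Assumption (not stated on the page): symmetric six-state noise with
    l01 = l10 = l11 = Q/2, which gives Q = l10 + l11 as in the text.
    """
    return (1.0 - 1.5 * qber, qber / 2, qber / 2, qber / 2)


def advantage_distillation(lam, m):
    """Eq. (7): eigenvalues after advantage distillation on blocks of m pairs."""
    l00, l01, l10, l11 = lam
    q = l10 + l11                              # QBER before distillation
    t = 2.0 * ((1.0 - q) ** m + q ** m)        # normalisation T
    out = []
    for a, b in ((l00, l01), (l10, l11)):      # rows i = 0 and i = 1
        for j in (0, 1):
            out.append(((a + b) ** m + (-1) ** j * (a - b) ** m) / t)
    return tuple(out)


def success_probability(qber, m):
    """Probability that a block of m pairs survives advantage distillation."""
    return (1.0 - qber) ** m + qber ** m


def rate_per_distilled_bit(qber, m):
    """Lower bound 1 - S(sigma') per surviving bit (U = X, no randomization)."""
    lam = advantage_distillation(six_state_eigenvalues(qber), m)
    return 1.0 - shannon_entropy(lam)


def qber_threshold(m, lo=1e-9, hi=0.5, iterations=60):
    """Largest QBER with a positive bound for block size m, by bisection."""
    for _ in range(iterations):
        mid = (lo + hi) / 2
        if rate_per_distilled_bit(mid, m) > 0.0:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    for m in (1, 2, 3, 5, 10):
        q = qber_threshold(m)
        print(f"m={m:2d}  threshold QBER={q:.4f}  "
              f"p_success at threshold={success_probability(q, m):.4f}")
```

Block size m = 1 reproduces the one-way case; each increase of m raises the tolerated QBER at the cost of a smaller success probability.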

In [23], Chau considered the secret-key rate obtained when applying the above described advantage distillation followed by the XOR transformation, where Alice and Bob locally compute new raw key bits by taking the XOR of a block of given bits. (For the sake of completeness we demonstrate in Appendix B how the XOR protocol can be included in our analysis.) Both procedures were analyzed in the asymptotic limit for infinitely large block sizes. The result found there is that the six-state protocol tolerates a QBER of up to 0.276. Surprisingly, the same threshold for the QBER can be obtained, as shown above, by a simpler protocol where the XOR transformation is replaced by a local randomization on single bits on Alice's side. Moreover, the rate of this modified protocol is much larger than that of Chau's protocol, as local randomization consumes fewer bits than the XOR transformation. Note that, as shown recently by Bae and Acin [23], if one omits the local randomization completely, the protocol still tolerates a QBER of up to 0.276, but the secret-key rate for large values of the QBER might be smaller.

IV. PROTOCOLS USING WEAK COHERENT 
PULSES 

A. Preliminaries 

We now consider protocols where Alice does not send single photons to Bob, but uses weak coherent pulses instead. This scenario is practically motivated by the fact that, with current technologies, it is difficult to create single-photon pulses. In fact, many of today's implementations of QKD rely on weak coherent pulses.

We start with a description of a prepare-and-measure 
scheme and then translate it to an equivalent entangle- 
ment based scheme, for which we will prove security. 

In the prepare-and-measure scheme, Alice encodes the bit values into phase randomized coherent states [38]. More precisely, she randomly chooses a basis j and encodes the bit value k into the state $\rho_j^k = \sum_{n \ge 0} p_n\,|\phi_j^k\rangle\langle\phi_j^k|^{\otimes n}$, where $|\phi_j^k\rangle\langle\phi_j^k|^{\otimes 0}$ denotes the vacuum for any value of j and k and $p_n = e^{-\mu}\mu^n/n!$, with $\mu$ the mean photon number (for a Poissonian source [39]).

The description of Bob's measurement depends on the experimental setup. We focus on the situation where Bob's detectors do not distinguish between the cases where they receive one or more than one photons, since with current technology, it is difficult to count the number of photons. The POVM describing the photon detector is thus given by the operators $\{D_0^\dagger D_0, D_1^\dagger D_1\}$, with $D_0 = \sum_{n \ge 0} \sqrt{p_{\mathrm{n.d.}}(n)}\,P_{|n\rangle}$ and $D_1 = \sum_{n \ge 0} \sqrt{1 - p_{\mathrm{n.d.}}(n)}\,P_{|n\rangle}$, where $p_{\mathrm{n.d.}}(n)$ is the probability of not detecting any photon in case n photons arrived at the detector. This probability is given by $p_{\mathrm{n.d.}}(n) = (1 - p_d)(1 - \eta)^n$, where $p_d$ is the probability of a dark count, and $\eta$ is the detection efficiency, i.e., overall transmission factor. The POVM element $D_0$ corresponds to the case where no photon is detected, whereas $D_1$ corresponds to the detection of one or more photons. In the prepare-and-measure scheme Bob would randomly choose a basis j and measure the arriving photons in that basis.

In the following, we consider the so-called untrusted-device scenario, where it is assumed that Eve exchanges Bob's detectors with perfect ones (having perfect efficiency and no dark counts) and introduces all errors herself. Clearly, security under this assumption implies security in a situation where Eve might not be able to corrupt Bob's detectors. Additionally, we assume that Bob's detector is constructed in such a way that, whenever a pulse consisting of more than one photon arrives, then the detector output corresponds to the measurement of one of the photons in the pulse chosen at random.

In the described scenario, we can without loss of generality assume that Eve only sends single photons to Bob. This follows directly from the fact that the situation obtained by sending a multi-photon pulse is the same as if Eve randomly selected one photon from the pulse and sent this single photon to Bob. Bob's measurement can therefore simply be described by the operators $B_j = |0\rangle\langle\phi_j^{1\perp}| + |1\rangle\langle\phi_j^{0\perp}|$ as defined previously.

Alice and Bob can estimate the following parameters related to their raw key: (i) the total sifting rate $R_\mu := \sum_{n \ge 0} R_n$, for $R_n := p_n Y_n$ where $Y_n$ is the probability for Bob to find a conclusive result in case Alice sent n photons; (ii) the average QBER $Q_\mu = \sum_n \frac{R_n}{R_\mu} Q_n$, where $Q_n$ denotes the QBER for the pairs where Alice sent an n-photon pulse. These two parameters will determine the amount of key that can be extracted from the particular raw key.

We use similar techniques as in 0, to describe the same protocol in the entanglement-based scheme. The states prepared by Alice are

$$|\Psi_j\rangle_{ABR_1} = \sum_{n \ge 0} \sqrt{p_n}\,|\Phi_j^n\rangle_{AB}|n\rangle_{R_1}, \tag{8}$$

where $|\Phi_j^n\rangle_{AB} = 1/\sqrt{2}\,\big(|0\rangle_A|\phi_j^0\rangle_B^{\otimes n} + |1\rangle_A|\phi_j^1\rangle_B^{\otimes n}\big)$. Here, we have introduced an auxiliary system $R_1$ containing the photon number (which is neither controlled by Alice nor Bob). If Alice measures her qubit in the computational basis and receives outcome k, the state Bob is left with in the noiseless case (without interaction of Eve) is $\rho_B = 2\,\mathrm{tr}_{R_1}\big(P_{\langle k|\Psi_j\rangle_{ABR_1}}\big) = \sum_{n \ge 0} p_n P_{|\phi_j^k\rangle}^{\otimes n}$, which corresponds to the coherent state (with randomized phase) sent by Alice in the prepare-and-measure scheme [42]. The operation on Bob's side is given by the operators $B_j$, as described above.



The state describing the situation after Bob's opera- 
tion is given by 



Ix) 



ABER 1 R 2 



3 



R 2 



where j corresponds to the basis chosen by Alice and $U_{EB}$ is a unitary describing the attack of Eve. Note that this state is not necessarily normalized, but its weight $\mathrm{tr}(|\chi\rangle\langle\chi|)$ corresponds to the sifting rate.

Restricted to Alice and Bob's systems, $|\chi\rangle_{ABER_1R_2}$ is a two-qubit state. We can thus apply the techniques presented in Section II to analyze the security of the protocol. More precisely, we need to evaluate the r.h.s. of (J3J) to get a lower bound on the secret-key rate. First we do not take the local randomization into account, i.e., we choose U = X. The case including local randomization will be treated in the next subsection. We thus obtain, for the key rate



$$r \ge \inf_{\Gamma_{R_\mu,Q_\mu}} \sum_{n \ge 0} R_n S(X|E,n) - R_\mu S(X|Y). \tag{9}$$

The set $\Gamma_{R_\mu,Q_\mu}$ contains all states which can result from a collective attack by Eve and are compatible with the average sifting rate $R_\mu$ and the QBER $Q_\mu$, as estimated by Alice and Bob.

Because the (conditional) entropy of a classical variable cannot be negative, the r.h.s. of (9) can be lower bounded by restricting to any of the terms in the sum over n. Note that, in (9), the average over n is only taken over the term for the entropy conditioned on Eve's system, but not on the term for the entropy conditioned on Bob's system. This is because Eve might be able to measure the photon number, whereas this is not the case for Bob.

B. Protocols with local randomization

So far we did not consider the possibility for Alice to apply some local randomization on her classical bits. The randomization can easily be included in the analysis: if the randomization is acting on single bits, $U \leftarrow X$ (bit flip with probability q), (9) simply writes

$$r \ge \inf_{\Gamma_{R_\mu,Q_\mu}} \sum_{n=0}^{\infty} R_n S(U|E,n) - R_\mu S(U|Y). \tag{10}$$

Bob's uncertainty is now given by $S(U|Y) = h(Q_\mu^q)$, where $Q_\mu^q = (1-q)Q_\mu + q(1-Q_\mu)$. Since $R_\mu = \sum_n R_n$, (10) can also be written as

$$r \ge \inf_{\Gamma_{R_\mu,Q_\mu}} \sum_{n=0}^{\infty} R_n\,[S(U|E,n) - h(q)] - R_\mu\,[h(Q_\mu^q) - h(q)]. \tag{11}$$

Note that, for any $n \ge 0$, the term S(U|E,n) on the r.h.s. of this inequality can be bounded by $S(U|E,n) \ge S(U|X) = h(q)$ (since U is only computed from X), and therefore the r.h.s. of (11) can again be lower bounded by restricting the sum to any of its terms.

As we will see, the local randomization allows us to get better lower bounds for the secret-key rate as well as better lower bounds for the maximum distance for which the rate is positive.

C. Examples: the BB84 and the SARG protocols

Using the results above, in particular (J5J, we now compute the lower bound on the secret-key rate of the BB84 as well as the SARG protocols. In Section IV E we compare the results we derive here with previous results, in particular with the ones presented in [24] and pEj .

In contrast to the single-photon case, where the lower bound on the secret-key rate was a function of the QBER, we are aiming here for a lower bound that depends on the only two measurable quantities $R_\mu$ (the total sifting rate) and $Q_\mu$ (the total QBER). For simplicity, we will in the following not explicitly include the local randomization, except in the final results (see Figures 1 and 2). We remind the reader that, in order to include the local randomization, (9) simply has to be replaced by (11).

Our computation of the bound given by (9) is subdivided into two steps: First, for any $n \ge 0$ and for any $Q_n$, we compute $S_n(Q_n) := \inf_{\sigma_n \in \Gamma_{Q_n}} S(X|E,n)$, where $\Gamma_{Q_n}$ is the set of all states $\sigma_n$ which can result from a collective attack on an n-photon pulse causing a QBER of $Q_n$. In a second step, we compute the infimum

inf_ /

(12)

where $\Gamma_{R_\mu,Q_\mu}$ denotes the set of all parameters $\{R_n, Q_n\}$ which are compatible with $R_\mu$ and $Q_\mu$. All the technical details can be found in Appendix D.

For the BB84 protocol, it is easy to verify that for any pulse consisting of $n \ge 2$ photons, Eve has full information on Alice's measurement outcome X, i.e., $\inf_{\sigma_n \in \Gamma_{Q_n}} S(X|E,n) = 0\ \ \forall n \ge 2$. The lower bound is thus given by [43]

$$r \ge \inf_{\{R_1,Q_1\} \in \Gamma_{R_\mu,Q_\mu}} R_1 S_1^{\mathrm{BB84}}(Q_1) - R_\mu h(Q_\mu), \tag{13}$$

where $S_1^{\mathrm{BB84}}(Q_1) := 1 - h(Q_1)$ (see Appendix D or 0,0).

As shown in Appendix [Dl the conditions in the 
untrusted-device scenario for R\ and Qi to be compatible 
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with R, t and Q, t are the following: 



Ri 
R1Q1 



R 



P 2 Sn>2 Pn 



(14) 



Let $R_1^{\min} = R_\mu - \frac{1}{2}\sum_{n \geq 2} p_n$.

If $R_1^{\min} \leq 0$, then $R_1$ can be set equal to zero, and the lower bound on $r$ is negative, i.e., Alice and Bob have to abort the protocol. If $R_1^{\min} > 0$, let $Q_1^{\max} = \min(R_\mu Q_\mu / R_1^{\min}, \frac{1}{2})$. Since $S_1^{\mathrm{BB84}}(Q_1)$ is decreasing for $Q_1 \leq 1/2$, we then get

$$ r \geq R_1^{\min} \left( 1 - h(Q_1^{\max}) \right) - R_\mu h(Q_\mu). \qquad (15) $$

Note that this bound has first been derived in [23] using a different technique. This bound can be interpreted as follows: For an optimal attack, Eve should make $R_1$ as small as possible (i.e., block as many single-photon pulses as possible) and, at the same time, make $Q_1$ as large as possible (i.e., introduce as many errors as possible on the single-photon pulses that she forwards, which reduces her uncertainty on Alice's system as much as possible).

To get an idea of how good this bound is, we evaluate the rate for the situation where no Eve is present and the errors are instead introduced by a realistic channel. The channel we consider is a lossy depolarizing channel with visibility $V$ (or fidelity $F = \frac{1+V}{2}$ and disturbance $D = \frac{1-V}{2}$), and a transmission factor $t = 10^{-\alpha \ell / 10}$ at distance $\ell$ ($\alpha$ is the attenuation coefficient). Furthermore, we consider the situation where Bob's detectors have an efficiency $\eta_{det}$ and a probability of dark counts $p_d$. An explicit calculation (see Appendix D) shows that under these assumptions, the rates that Alice and Bob would get are

$$ R_\mu = \tfrac{1}{2}\left[ 1 - \bar{p}_d^{\,2} e^{-\mu\eta} \right], \qquad R_\mu Q_\mu = \tfrac{1}{4}\left[ 1 + \bar{p}_d e^{-\mu F \eta} - \bar{p}_d e^{-\mu D \eta} - \bar{p}_d^{\,2} e^{-\mu\eta} \right], $$

where $\eta = t\,\eta_{det}$, $\bar{p}_d = 1 - p_d$. When we insert these values in (15) for experimentally reasonable values of $\alpha$, $p_d$ and $\eta_{det}$, and optimize for different distances over the mean photon number $\mu$ (which Alice is free to choose), we get the results illustrated in Fig. 1 (for $V = 1$) and Fig. 2 (for $V = 0.95$). We find that the optimal $\mu$ is proportional to the transmission factor $t$, and our bound on the secret-key rate is proportional to $t^2$ (at least for short distances, i.e., in the regime where dark counts are not dominant); this was already observed in [2^.l2^ |.
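The evaluation just described can be reproduced numerically. The Python sketch below is an added example, not code from the paper: it evaluates bound (15) without local randomization ($q = 0$) from the expressions for $R_\mu$ and $R_\mu Q_\mu$ given above, with the Fig. 1 parameters as defaults, and maximizes it over $\mu$. The function names and the grid-plus-golden-section search are assumptions of this example.

```python
import math


def h(x):
    """Binary entropy in bits; returns 0 outside the open interval (0, 1)."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def channel_rates(mu, dist_km, V=1.0, alpha=0.25, eta_det=0.1, p_d=1e-5):
    """(R_mu, R_mu*Q_mu) for a Poissonian source with mean photon number mu
    over a lossy depolarizing channel with no Eve present."""
    t = 10.0 ** (-alpha * dist_km / 10.0)      # transmission factor
    eta = t * eta_det                          # overall transmission
    F, D = (1.0 + V) / 2.0, (1.0 - V) / 2.0    # fidelity, disturbance
    pbar = 1.0 - p_d                           # probability of no dark count
    R = 0.5 * (1.0 - pbar ** 2 * math.exp(-mu * eta))
    RQ = 0.25 * (1.0 + pbar * math.exp(-mu * F * eta)
                 - pbar * math.exp(-mu * D * eta)
                 - pbar ** 2 * math.exp(-mu * eta))
    return R, RQ


def bb84_bound(mu, dist_km, **channel):
    """Bound (15): R1_min * (1 - h(Q1_max)) - R_mu * h(Q_mu), for q = 0."""
    R, RQ = channel_rates(mu, dist_km, **channel)
    if R <= 0.0:
        return 0.0
    multi = -math.expm1(-mu) - mu * math.exp(-mu)   # sum_{n>=2} p_n
    R1_min = R - 0.5 * multi
    error_correction = R * h(RQ / R)
    if R1_min <= 0.0:
        # Eve can set R_1 = 0: nothing is left to distil, the protocol aborts.
        return -error_correction
    Q1_max = min(RQ / R1_min, 0.5)
    return R1_min * (1.0 - h(Q1_max)) - error_correction


def optimise_mu(dist_km, **channel):
    """Maximise the bound over mu: log-grid scan, then golden-section search."""
    grid = [10.0 ** (-5.0 + 5.0 * i / 500) for i in range(501)]
    best = max(range(len(grid)),
               key=lambda i: bb84_bound(grid[i], dist_km, **channel))
    lo = grid[max(best - 1, 0)]
    hi = grid[min(best + 1, len(grid) - 1)]
    g = (math.sqrt(5.0) - 1.0) / 2.0
    for _ in range(60):
        a, b = hi - g * (hi - lo), lo + g * (hi - lo)
        if bb84_bound(a, dist_km, **channel) < bb84_bound(b, dist_km, **channel):
            lo = a
        else:
            hi = b
    mu = 0.5 * (lo + hi)
    return mu, bb84_bound(mu, dist_km, **channel)


if __name__ == "__main__":
    for V in (1.0, 0.95):
        print(f"V = {V}")
        for dist in (0, 10, 20, 30, 40):
            mu, r = optimise_mu(float(dist), V=V)
            t = 10.0 ** (-0.25 * dist / 10.0)
            status = f"{r:.3e}" if r > 0 else "abort (bound <= 0)"
            print(f"  {dist:3d} km  t = {t:.3f}  mu_opt = {mu:.4f}  r >= {status}")
```

Setting `p_d=0.0` isolates the regime in which dark counts are not dominant, where the optimal $\mu$ and the bound follow the $t$ and $t^2$ scaling stated above.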



2. SARG 

A major difference between the SARG protocol and the 
BB84 protocols is that Eve cannot get full information 
on Alice's value even if the pulse contains two photons. 




FIG. 1: Lower bound on the secret-key rate per pulse and
optimal $\mu$ for Poissonian sources as a function of the distance,
for the BB84 and SARG protocols, when Alice and Bob share
a quantum channel with perfect visibility $V = 1$. The other
experimental parameters are $\alpha = 0.25$ dB/km, $\eta_{det} = 0.1$ and
$p_d = 10^{-5}$. The thick lines are the results we obtain when
Alice performs an optimal bit-wise local randomization; the
thin lines are the same, without randomization ($q = 0$).

FIG. 2: Same plot as in Fig. 1 (top), but for a quantum
channel with non-perfect visibility, $V = 0.95$.
In order to take this into account, we include the contribution of the two-photon components in our formula for the secret-key rate, i.e. we compute Q:

$$ r \geq \inf_{\{R_1,Q_1,R_2,Q_2\}} R_1 S_1^{\mathrm{SARG}}(Q_1) + R_2 S_2^{\mathrm{SARG}}(Q_2) - R_\mu h(Q_\mu). \qquad (16) $$

In Appendix D we describe how to compute $S_1^{\mathrm{SARG}}(Q_1)$ and $S_2^{\mathrm{SARG}}(Q_2)$ (see also Appendix C and H3), and we derive the following conditions for $R_1$, $Q_1$, $R_2$ and $Q_2$ to be compatible with $R_\mu$ and $Q_\mu$:



$$ \begin{aligned} R_1(1-Q_1) &\leq \tfrac{1}{4} p_1 \\ R_2(1-Q_2) &\leq \tfrac{1}{4} p_2 \\ R_1(1-Q_1) + R_2(1-Q_2) &\geq R_\mu(1-Q_\mu) - \tfrac{1}{4}\sum_{n \geq 3} p_n \\ R_1 Q_1 + R_2 Q_2 &\leq R_\mu Q_\mu \end{aligned} \qquad (17) $$

If $R_\mu(1-Q_\mu) - \frac{1}{4}\sum_{n \geq 3} p_n > 0$, one can see in CHI) that Eve's optimal choice is to set $R_1$ and $R_2$ as small as possible, and $Q_1$ and $Q_2$ as large as possible ($S_1^{\mathrm{SARG}}(Q_1)$ and $S_2^{\mathrm{SARG}}(Q_2)$ are decreasing): she should therefore set the equality in the third constraint.

However, contrary to BB84, we have not been able to give a simpler analytical expression for the infimum in (16): we therefore resort to numerical computations.

Again, in order to estimate the previous bound in a practical implementation of the protocol, we compute the typical values of the parameters $R_\mu$ and $Q_\mu$ when Alice and Bob use a Poisson source and a lossy depolarizing channel (see Appendix D):



R/j, — 



"1 - p 2 e-w + f e^ F " 
'l - v 2 



Similarly to the BB84 protocol, inserting these values in Eq. (16), and optimizing for different distances over the mean photon number $\mu$, provides the results illustrated in Figures 1 and 2.

For $V = 1$, we find an optimal $\mu$ proportional to $t^{1/2}$, and therefore our bound on the secret-key rate scales like $t^{3/2}$ (see also [31]), which is more efficient than for BB84 (where we had $r \propto t^2$). For $V = 0.95$ however, we find that the SARG protocol is less efficient than the BB84, and our lower bound for the secret-key rate of SARG also scales like $t^2$, the same as for BB84. However, it should be noted that we determine here only lower bounds on the rates.



D. Decoy states 

The relevant set $\Gamma_{R_\mu,Q_\mu}$ in @ over which the infimum has to be taken to obtain the lower bound on the secret-key rate is quite big, since Alice and Bob can only estimate the total sifting and total error rate. They have a good estimate neither of the error rates $Q_n$ nor of the corresponding yields $Y_n$. Hwang and Lo et al. pointed out a method to improve the lower bound on the secret-key rate by making some additional measurements (IH HI see also H3). The idea of the so-called decoy states is to change the intensity of the pulses sent by Alice in order to be able to estimate more quantities. This allows them to deduce more information about the possible attack of an eavesdropper (like the estimate of the QBER does). For practical purposes one assumes that Alice is always sending weak coherent pulses, varying only the mean photon number. We will show here how this particular idea can be included in our analysis.

Let us first of all consider the case where Alice uses two different intensities, i.e., one with mean photon number $\mu_0$ (we call it signal pulse in the following) and the other (decoy pulse) with mean photon number $\mu_1$. Using more decoy states is a straightforward generalization of this case. We describe the states sent by Alice by $|\psi\rangle_{ABR_1R_2} = |\psi_s\rangle_{ABR_1}|0\rangle_{R_2} + |\psi_c\rangle_{ABR_1}|1\rangle_{R_2}$, where $|\psi_s\rangle_{ABR_1}$ ($|\psi_c\rangle_{ABR_1}$) denotes the (unnormalized) signal (decoy) pulse (see Eq. ©). System $R_2$ is again some auxiliary system, introduced to keep track of the signal and decoy pulses. In this case this system is in Alice's hands, as she chooses the intensity of the signals. Since Alice is going to measure the auxiliary system $R_2$ in the computational basis, we can consider the state $\sigma = p_s \sigma_s \otimes P_{|0\rangle_{R_2}} + (1-p_s)\sigma_c \otimes P_{|1\rangle_{R_2}}$, where $\sigma_s$ ($\sigma_c$) are Alice and Bob's signal (decoy) systems after Eve's intervention, respectively. Bob's measurement is described in the same way as before. Again, Alice and Bob can only measure the total sifting rate $R_\mu = \sum_n R_n = \sum_n p_n Y_n$ and estimate the total error rate $Q_\mu = \sum_n R_n Q_n / R_\mu = \sum_n p_n Y_n Q_n / R_\mu$. However, now they are in the position to obtain more information about their qubit pairs, as they are capable of measuring these quantities for different values of $\mu$ (recall $p_n = e^{-\mu}\mu^n/n!$), i.e. they can measure the values $R_{\mu_0}, Q_{\mu_0}$ and $R_{\mu_1}, Q_{\mu_1}$. We can again use © to compute a lower bound on the secret-key rate. In this case, the infimum is taken over the set $\Gamma_{\{R_{\mu_i},Q_{\mu_i}\}}$ of all Bell-diagonal two-qubit states of the form $p_s\sigma_s + p_c\sigma_c$, with $\sigma_s$ ($\sigma_c$) denoting the Bell-diagonal states corresponding to the signal (decoy) bits, which are compatible with all estimated total sifting rates $R_{\mu_i}$ and total error rates $Q_{\mu_i}$.

Let us now consider the case where Alice uses many different intensities for her decoy states. Due to the definition of $R_\mu$ it is clear that, by varying $\mu$, one can obtain information about the quantities $Y_n$. Knowing $Y_n$ and $\{Q_{\mu_i}\}$ one can then determine $Q_n$. Note that in order to determine $Y_n$ and $Q_n$ one needs infinitely many decoy intensities; however, already a small number of such decoy intensities suffices to restrict the values of $Y_n$ and $Q_n$ (see for instance H3). The results of the analysis above are illustrated in Figs. 3 and 4. In order to evaluate the lower bounds we consider the situation where Alice and Bob share a lossy depolarizing channel with visibilities $V = 1$, $V = 0.95$ respectively.
FIG. 3: Lower bound on the secret-key rate per pulse and optimal $\mu$ for Poissonian sources as a function of the distance, for the BB84 and SARG protocols using decoy states, when Alice and Bob share a quantum channel with perfect visibility $V = 1$. The other parameters are the same as in Fig. 1. The thick lines are the results we obtain when Alice performs an optimal bit-wise local randomization; the thin lines correspond to the protocol without randomization ($q = 0$).

FIG. 4: Same plots as in Fig. 3, but for a quantum channel with non-perfect visibility, $V = 0.95$.

of $S_1^{\mathrm{SARG}}(Q_1)$ (see Appendix C), and with the local randomization process. Nevertheless, our conclusion is the same as in [25], namely that when decoy states are used, the SARG is outperformed by the BB84 protocol.



E. Related work 

In [2^, a similar comparison between the BB84 and SARG protocols has been done, and lower bounds on the secret-key rates were computed. For BB84, our results are very similar to those of ( see also uM ), but we could slightly increase the rates and the limiting distances by using the local randomization process [45].

For the SARG protocol, taking into account the two-photon contribution in the lower bound allows us to increase the lower bound. In the case of SARG without decoy states, we could thus significantly improve the bound of plj . Our conclusion is therefore different: we find that the SARG protocol performs better than BB84 for high visibility $V \approx 1$ (see Fig. 1). However, the SARG is more sensitive to the loss of the channel, and for $V = 0.95$ for instance, BB84 is more efficient (Fig. 2).

In the case of SARG with decoy states, the two-photon contribution had already been taken into account in [25], and we again get similar results. However, we could slightly improve the rate with the improved calculation



V. FURTHER APPLICATIONS, AND OPEN 
PROBLEMS 

There are still several possibilities to improve the lower bounds on the secret-key rate of QKD protocols. One way to look at this problem is to analyze the properties of the set $\Gamma$ over which one has to optimize in order to obtain the lower bound (see e.g. Eq. J3J). Concerning the single photon QKD protocols, one might try to find the conditions on the encoding (and decoding) operations which would lead to a properly restricted set $\Gamma_Q$, such that a high QBER can be tolerated.

In a protocol based on weak coherent pulses, it might 
be advantageous to take the detected double clicks into 
account. As mentioned above, this would (most likely) 
impose further restrictions on the set of possible attacks 
and thus result in an improvement of the secret-key rate. 
In addition, it would be interesting to generalize the ideas 
developed in this article to a scenario, where not only the 
intensity of light is used but where also the coherence of 
the light is checked (similar to the decoy states). One 
protocol taking this into account has for instance been 
proposed in [3]. Another possibility is to consider protocols
based on weak coherent pulses that use two-way
post-processing, as studied by Lo [30]. We also note here
that the techniques presented here can also be applied to
protocols based on squeezed states.

In this work, we considered the so-called untrusted- 
device scenario, where the adversary might arbitrarily 
modify the efficiency of Bob's detector. If one consid- 
ers the reasonable situation, where Eve cannot influence 
Bob's device, one might obtain larger values for the key 
rate. 



Combining this with (A2), we conclude

V u <n2- e{fl£2) 

/ j pni ,ri2 ,n 3 ,714 — 

(fii,...,n 4 )gB< ! (Ai,...,A 4 ) 



□ 



APPENDIX B: ADVANTAGE DISTILLATION 
USING THE XOR PROCESS 
APPENDIX A: PROOF OF LEMMA [T]

In this appendix we prove the Lemma presented in 
Section III. The operator <j® n is symmetric and can thus 

be written as a® n = E„' 1 ,...,„^n' 1 ,«^n^n^s(^$" 1 ) <8 

P |*oi) ® P \^m) ® P |*"V' for a PP r °P riate coefficients 
Mni.niX.^i- Hence ' witn the definition p := /i ni ,„ 2; „ 3 , n4 , 
we have 

U® n = PPn + (1 - p)p n 

where p n is a symmetric quantum state on n subsystems. 
Moreover, it is easy to see that the coefficient p cannot 
be smaller than —. 

n 

By linearity, we get the following expression for the 
state after the operation £® n has been applied to a® n : 

-m = S ®fl( a ®nj = p £®n( pn ) + (1 _ p)E® n {p n ) . (Al) 

Because a®" is symmetric, it can be written as <7® n — 

l^n u ...,n A fei,ri2,fi3,S4' s ^|*oo> 59 |*oi) 59 |*io) 59 1*11)''' 
for some coefficients P-'m n 2 fi 3 Hi- Furthermore, by 
the law of large numbers, the sum of the coefficients 
P jl n 1 ,n 2 ,n 3 ,n 4 f° r tuples 77i,fi2,fi3,n4 which are not con- 
tained in B e (Xi, . . . , A4) is exponentially small, i.e., 

E /4,n.,«..iu < 2 " e( " 2) ■ (A2) 

(ni,...,n4)^B s (Ai,...,A 4 ) 

Finally, because of (A1),

-1 ^ - 

h i ni,n-2,fL3,n4 — V ' f J -n 1 ,n 2 ,n 3 ,n i ; 

where p ni ,n 2 ,n 3 ,n 4 are the coefficients of p n . Since p > — , 



In this appendix we explain how the XOR process applied to many qubit pairs can be easily included within this formalism. Alice randomly selects a set of bits and informs Bob about this set. Then, Alice and Bob both compute the XOR of those bits and keep only the result, discarding all the others. Our goal is to find a simple description of the remaining logical bits, Eve's system, and the classical information sent from Alice to Bob (note that Eve knows the randomly chosen set which is used by Alice and Bob). We demonstrate here how this can be achieved with the example of three qubit pairs. The idea can be easily generalized to any number of pairs.

Quantum mechanically the XOR operation can 
be described by a controlled-not operation, denoted 
by Uc. Three copies of the state \^}abe — 
Si j V abI^ij) e transform, under the transfor- 
mation Uc A ~* x Uc\~* x ® Ue^ x Uc 2 £* x to the state 



(Bl) 

\®k,l+j) A 2 B 2 \^m,n+j) A 3 B 3 \ Xi,j,k,l,m,n) E 1 

where $|\chi_{i,j,k,l,m,n}\rangle_E = |\Phi_{i,j}\rangle|\Phi_{k,l}\rangle|\Phi_{m,n}\rangle$. Since Alice
and Bob are not going to use the systems 2 and 3
anymore, we want to consider a state that describes
only Alice's and Bob's first systems. More importantly,
we want to give Eve a purification of this state. If we
assumed that Eve has a purification of the state
describing systems $A_1$ and $B_1$, this would be equivalent
to assuming that Eve has Alice's and Bob's second and
third pair after this transformation. It is evident that we
would then assume that she has more power than she actually
has. In order to avoid giving her too much power we
use the idea mentioned in Section III D (see also
by considering the systems $A_2$, $B_2$, $A_3$, $B_3$ as auxiliary
system R [4^ |. For the unitary transformations, Uk,i, m ,n 
we choose Uij^,i,m,n — o~t x f° r ^ + 3 = n + 3 ' = 1 an d 
the identity otherwise. It can be easily verified that the 
state describing Alice's and Bob's first system is then 
the partial trace over E 7 R of the state \^)a 1 b 1 re = 

^2iJ,k,l,m,n y/ ^ij ^kl^mn\'&i+k+m,j+8i + j tl &„ + j il ) AxBx 

\4>j,k,i,m,n)R\Xt,j,k,i,m,n)E, where \4>j,k,l,m,n) R denotes 
the state \ $k,i+ j) A 2 B 2 \®m,n+.i) a 3 b 3 - As explained 
in Section III Dl providing Eve with a purification 
of the state that describe the systems Ax , Bi never 
underestimates her power. The eigenvalues of the 
two-qubit Bell-diagonal state describing Alice's and
Bob's remaining systems, denoted by A,j are 

K,j — Xf t i A,. , + 3Aj J+ i) + 3X^ +1 j(Xij + Aij-|-i(B2) 
+ 6AijA.;+ijAi + i J+ i. 

The intuition for this choice of unitary transformations is the following. The state $|\Psi\rangle_{ABE}$ under consideration is supposed to lead to a secret bit. Thus, the coefficients $\lambda_{i,j}$ are such that it is very likely that if both $l + j = 1$ and $n + j = 1$ then $j = 1$, which means that within the remaining qubit pair there is a phase-flip error. The unitaries are chosen such that this error is corrected.

Using the new eigenvalues of the state describing Alice's and Bob's remaining bits, it is straightforward to compute the lower bound on the secret-key rate (Eq. J3j ).

APPENDIX C: AN IMPROVED ANALYSIS OF 
THE SARG PROTOCOL WITH SINGLE 
PHOTONS 



is, in contrast to former considerations, no longer Bell-diagonal. In the following we consider the situation where Bob accepts only if the probability for him to obtain the bit value 0 is the same as detecting 1. This is a first step in the parameter estimation. Note that this condition imposes $\lambda_{01} = \lambda_{10}$. The QBER, $Q$, can be easily determined and one finds $Q = (\lambda_{01} + \lambda_{11})/(1/2 + \lambda_{01} + \lambda_{11})$. Using the normalization condition we find that the coefficients in the state $|\Phi\rangle_{ABE}$ are given by: $\lambda_{00} = 1 - Q/(1-Q) + \lambda_{11}$, $\lambda_{01} = Q/(2(1-Q)) - \lambda_{11}$, $\lambda_{10} = \lambda_{01}$. Thus, for a fixed QBER there is only one parameter, $\lambda_{11} \in [0, Q/(2(1-Q))]$, over which one needs to minimize to obtain the lower bound on the secret-key rate given in formula Eq. Q. Without the local randomization one finds that the lower bound on the secret-key rate is positive as long as $Q < 0.1167$. Including the local randomization allows one to increase the tolerable QBER to 0.1308, compared to the previously known bounds of 0.0968 without and 0.1095 with local randomization, respectively [13].



In the SARG protocol the bit value 0 (1) is encoded
in the z-basis (x-basis) respectively. During the sifting
phase Alice announces a set containing two states, the
one which she sent and one in the other basis. There
are 4 different encoding and decoding operators. For instance
$A_1 = |0\rangle\langle 0_z| + |1\rangle\langle 0_x|$ and $B_1 = |0\rangle\langle 1_x| + |1\rangle\langle 1_z|$
describe the situation where Alice sends one of the two
states $\{|0_z\rangle, |0_x\rangle\}$ and tells Bob that the sent state is
within this set. Let us for the moment consider a single
qubit sent by Alice (for more details see [13]). The
state shared by Alice, Bob, and Eve after the sifting is
given by $|\chi\rangle_{ABER_1} = \sum_j A_j \otimes B_j |\Psi\rangle_{ABE}|j\rangle_{R_1}$, where
$|\Psi\rangle_{ABE}$ is the state shared by Alice, Bob, and Eve after
Eve's intervention. Now, we apply some symmetrization
to the state, which does not change any security
consideration, as explained in Section II. Let us consider
the state $|\chi\rangle_{ABER_1R_2} = |\chi\rangle_{ABER_1}|0\rangle_{R_2} + \sigma_z \otimes \sigma_z |\chi\rangle_{ABER_1}|1\rangle_{R_2}$.
It is straightforward to show that the
reduced state describing Alice's and Bob's system is equal
to ■D 2 V 1 [V 2 {p )l with Po = tr B (P«). Here, V 2 (p) = 
l/2(p + a z ®a zP a z ®a z ), Vt(p) =Y, j A j ®B j pA]®B] 
is given by the protocol and T> 2 denotes the depolariz- 
ing map, i.e. V 2 {p) = l/4(/0 + a x ® a x pa x (g) a x + a y <g> 
OypGy (£> Oy + a z (£> a z po z ® a ' z ) . Furthermore, the action 
of T>i on a Bell-diagonal state is the same as A\ ® B\ 
on that state. Thus, we only need to consider the situa- 
tion where Eve has a purification of the state T> 2 (po), 
i.e. the state before the action of T>% and T> 2 . Us- 
ing the results of 0, Q this implies that the state we 
have to use in order to compute the lower bound on the 
secret-key rate is p A BE = ^2 1B (- p a 1 <»b 1 |*) AB e), where 

\<f>)ABE = \Aoo|*Oo) AS|*00) E + V%1 |$0l) AB | $01 >B + 

V^|$io)as|$io)e + \Aii|$ii)ab|$ii)e, i.e a purifica- 
tion of the Bell-diagonal state T> 2 (p ). 

Using this description it is straightforward to com- 
pute the state describing Alice' and Bob's system, which 



APPENDIX D: CALCULATIONS RELATED TO 
THE ANALYSIS OF PROTOCOLS BASED ON 
COHERENT PULSES 

This appendix contains some calculations related to the evaluation of the lower bound © on the secret-key rate for the BB84 and SARG protocols with weak coherent pulses (see Section IV).

For this purpose, we first compute the infimum $S_n(Q_n) := \inf_{\sigma_n \in \Gamma_{Q_n}} S(X|E,n)$ for any given $Q_n$, and then optimize (from Eve's point of view) over the parameters $R_n$, $Q_n$. These parameters must be compatible with the measurable quantities $R_\mu$, $Q_\mu$: in the case of protocols which do not use decoy states, this leads to particular constraints for each protocol, which we derive here. (Note that for protocols with decoy states, Alice and Bob can estimate all rates $R_n$, $Q_n$: Eve can no longer optimize over these parameters.)

Recall that we work in the untrusted device scenario, where Eve has full control over Bob's detectors. Dark counts do not occur, and therefore $R_0 = 0$, as Eve should obviously not send any photon to Bob when she receives an empty pulse from Alice. Moreover, we consider protocols where Bob treats all double clicks as if only one randomly chosen detector clicked.

In a second step, in order to give estimations of our bounds, we compute the typical values of the yields and error rates if no adversary is present, i.e., if the channel between Alice and Bob is a depolarizing channel with fidelity $F$ (or disturbance $D = 1 - F$) and with a transmission factor $t$. In addition, we suppose in that case that Bob's detectors have an efficiency $\eta_{det}$ and a probability of dark counts $p_d$. We will use the notations $\eta = t\,\eta_{det}$ for the overall transmission factor and $\bar{p}_d = 1 - p_d$.
1. BB84 protocol

a. Eve's uncertainty on the one-photon pulses 

For BB84, the set $\Gamma_{Q_1}$ contains all states with diagonal entries (in the Bell basis) $\lambda_{00} = 1 - 2Q_1 + \lambda_{11}$ and $\lambda_{01} = \lambda_{10} = Q_1 - \lambda_{11}$, for any $\lambda_{11} \in [0, Q_1]$ 0,0.

One can easily prove that $S(X|E, n = 1)$ takes its minimum when $\lambda_{11} = Q_1^2$. Then, a straightforward calculation shows that $S_1^{\mathrm{BB84}}(Q_1) = \inf_{\sigma_1 \in \Gamma_{Q_1}} S(X|E, n = 1) = 1 - h(Q_1)$. Note that $S_1^{\mathrm{BB84}}(Q_1)$ is decreasing for $0 \leq Q_1 \leq 1/2$: as expected, the higher the error Eve introduces, the more she reduces her uncertainty.



b. Constraints on the yields and error rates 

In the BB84 protocol, the probability that Alice and Bob choose the same basis for their preparation and measurement respectively is 1/2 (this is the sifting factor). Therefore we have $Y_n \leq \frac{1}{2}$ for all $n$, which implies the following bounds:

$R_1 = p_1 Y_1 \leq \frac{1}{2} p_1$



(Dl) 
(D2) 



n>2 



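These are the first two constraints announced in (14). The third constraint follows from the definition of $R_\mu Q_\mu = \sum_n R_n Q_n$.

When Alice uses a Poissonian source (i.e. $p_n = e^{-\mu}\mu^n/n!$), the overall yield and error rate are then

$$ R_\mu = \tfrac{1}{2}\left[ 1 - \bar{p}_d^{\,2} e^{-\mu\eta} \right], \qquad R_\mu Q_\mu = \tfrac{1}{4}\left[ 1 + \bar{p}_d e^{-\mu F \eta} - \bar{p}_d e^{-\mu D \eta} - \bar{p}_d^{\,2} e^{-\mu\eta} \right]. $$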



2. SARG protocol 



a. Eve's uncertainty on the one-photon pulses 

In order to compute Eve's uncertainty on the one-photon pulses, we use the method presented in Appendix C. We don't have an analytical expression for $S_1^{\mathrm{SARG}}(Q_1) = \inf_{\sigma_1 \in \Gamma_{Q_1}} S(X|E, n = 1)$, but we compute it numerically. Note that we find $S_1^{\mathrm{SARG}}(Q_1)$ is decreasing only for $0 \leq Q_1 \leq 0.338$, and does not reach zero.

b. Eve's uncertainty on the two-photon pulses

We follow the calculations of (2^ to compute Eve's uncertainty on the two-photon pulses. The set $\Gamma_{Q_2}$ contains all states with the following diagonal entries (in the Bell basis)

$$ \lambda_{00} = 1 - Q_2 - \lambda_{01}, \qquad \lambda_{10} = Q_2 - \lambda_{11}, \qquad \lambda_{01} + \lambda_{11} \leq x Q_2 + g(x) \;\; \forall x \qquad (D3) $$

where g(x) = |(3 - 2x + ~ G\^x + Ax 2 ) j^. When minimizing $x Q_2 + g(x)$ over $x$, we get


c. Yields and error rates for depolarizing channels 



When implementing the BB84 protocol, Alice and Bob would estimate the quantities $Q_\mu$, $R_\mu$ and then compute the rate as explained above. In order to get an idea of how good the obtained bounds on the rate are, we evaluate here these quantities for the situation where no Eve is present and Alice and Bob share a lossy depolarizing channel.

In BB84, when Alice sends $n$ photons, the probability that Bob chooses the same basis as Alice and gets a single or a double click is:

$$ Y_n = \tfrac{1}{2}\left[ 1 - \bar{p}_d^{\,2}(1-\eta)^n \right] $$

Bob gets a wrong bit if only the wrong detector clicks, or if the two detectors click, but he randomly chooses a wrong bit. This happens with probability:

$$ \begin{aligned} Y_n Q_n &= \tfrac{1}{2}\sum_{k=0}^{n} C_n^k F^k D^{n-k} \Big\{ [\bar{p}_d(1-\eta)^k][1 - \bar{p}_d(1-\eta)^{n-k}] \\ &\qquad + \tfrac{1}{2}[1 - \bar{p}_d(1-\eta)^k][1 - \bar{p}_d(1-\eta)^{n-k}] \Big\} \\ &= \tfrac{1}{4}\left[ 1 + \bar{p}_d(1-F\eta)^n - \bar{p}_d(1-D\eta)^n - \bar{p}_d^{\,2}(1-\eta)^n \right] \end{aligned} $$

$$ \lambda_{00} = 1 - Q_2 - \lambda_{01}, \qquad \lambda_{10} = Q_2 - \lambda_{11}, \qquad \lambda_{01} + \lambda_{11} \leq B(Q_2) \qquad (D4) $$

where B{Q 2 ) = \ + \^Q 2 {1 - ■3Q 2 ).

One can show that for Q 2 < |, B(Q 2 < i and the optimal choice of the parameters $\lambda_{ij}$ for Eve is $\lambda_{01} + \lambda_{11} = B(Q_2)$ (i.e. Eve should make the phase error as high as possible, up to 4), and $\lambda_{11} = Q_2 B(Q_2)$. Then, a straightforward calculation gives $S_2^{\mathrm{SARG}}(Q_2) = \inf_{\sigma_2 \in \Gamma_{Q_2}} S(X|E, n = 2) = 1 - h(B(Q_2))$. Note that $S_2^{\mathrm{SARG}}(Q_2)$ is decreasing for < Q 2 < ±, and si ARG (^) = o.

c. Constraints on the yields and error rates

In the case of SARG, because of the non-orthogonality of the quantum states that are used to encode the classical bit values, it is a little bit more tricky to find the constraints that the yields and error rates must satisfy. Here, we will derive a constraint on the yields without errors (or probability that Bob gets a right conclusive result), i.e., on $p_{right} = Y_n(1 - Q_n)$ (for any $n \in \mathbb{N}$).

To this aim, let's suppose in a first step that Alice sends photons in the state $|{+z}\rangle$, that Eve attacks the pulse and decides either to forward one photon to Bob in the state $\rho_B$, or to block the pulse. In this case, Bob gets a right conclusive result if (i) Alice announces the set $\{|{+z}\rangle, |{+x}\rangle\}$ (which she does with probability 1/2), Bob chooses to measure $\sigma_x$ (probability 1/2) and (only) the detector corresponding to $|{-x}\rangle$ clicks; or (ii) Alice announces the set $\{|{+z}\rangle, |{-x}\rangle\}$, Bob chooses to measure $\sigma_x$, and the detector corresponding to $|{+x}\rangle$ clicks. Therefore, Bob's probability to get a right conclusive result when Alice sends $|{+z}\rangle$ is bounded by:

$$ \begin{aligned} p_{right|+z} &\leq \tfrac{1}{4}\langle -x|\rho_B|{-x}\rangle + \tfrac{1}{4}\langle +x|\rho_B|{+x}\rangle \qquad &(D5) \\ &\leq \tfrac{1}{4}\,\mathrm{Tr}(\rho_B) \qquad &(D6) \end{aligned} $$

This result actually does not depend on the state sent by Alice, and we therefore have



is no Eve present and Alice and Bob share a lossy depolarizing channel, in order to get an idea of how good the obtained bounds on the rate are.

In order to calculate the yields and error rates for the SARG protocol, let's suppose that Alice sends $n$ photons in the state $|{+z}\rangle$, and announces $\{|{+z}\rangle, |{+x}\rangle\}$. By symmetry, the following still holds for any state sent by Alice, and any announcement. Similar calculations can be found in [13].

If Bob measures $\sigma_z$, he gets a (wrong) conclusive click on the detector corresponding to $|{-z}\rangle$, or a double click, with probabilities:

$$ \begin{aligned} p_{|-z\rangle|z} &= \sum_{k=0}^{n} C_n^k F^k D^{n-k} [\bar{p}_d(1-\eta)^k][1 - \bar{p}_d(1-\eta)^{n-k}] \\ &= \bar{p}_d(1-F\eta)^n - \bar{p}_d^{\,2}(1-\eta)^n \\ p_{2clicks|z} &= 1 - \bar{p}_d(1-F\eta)^n - \bar{p}_d(1-D\eta)^n + \bar{p}_d^{\,2}(1-\eta)^n \end{aligned} $$

Similarly, if Bob now measures $\sigma_x$, he gets a (right) conclusive click on the detector corresponding to $|{-x}\rangle$, or a double click, with probabilities:



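$$ p_{right} = Y_n(1 - Q_n) \leq \tfrac{1}{4} \qquad (D7) $$

The first three constraints announced in (17) then follow:

$$ \begin{aligned} R_1(1-Q_1) &\leq \tfrac{1}{4} p_1 \qquad &(D8) \\ R_2(1-Q_2) &\leq \tfrac{1}{4} p_2 \qquad &(D9) \\ R_1(1-Q_1) + R_2(1-Q_2) &\geq R_\mu(1-Q_\mu) \qquad &(D10) \\ &\quad - \tfrac{1}{4}\sum_{n \geq 3} p_n \qquad &(D11) \end{aligned} $$

As before, the last constraint follows from the definition of $Q_\mu$.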


d. Yields and error rates for depolarizing channels 

As for the BB84-protocol, we evaluate here the lower 
bound on the secret key rate for the situation where there 



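$$ \begin{aligned} p_{|-x\rangle|x} &= \bar{p}_d\left(1 - \tfrac{\eta}{2}\right)^n - \bar{p}_d^{\,2}(1-\eta)^n \\ p_{2clicks|x} &= 1 - 2\bar{p}_d\left(1 - \tfrac{\eta}{2}\right)^n + \bar{p}_d^{\,2}(1-\eta)^n \end{aligned} $$

Since Bob randomly chooses the basis he measures, with equal probabilities, and since he randomly chooses one outcome in the case of double clicks (conclusive or not), the probability that Bob's result is conclusive when Alice sends $n$ photons is $Y_n = \frac{1}{2}\left(p_{|-z\rangle|z} + \frac{1}{2}p_{2clicks|z}\right) + \frac{1}{2}\left(p_{|-x\rangle|x} + \frac{1}{2}p_{2clicks|x}\right)$, and the error rate on these pulses is $Y_n Q_n = \frac{1}{2}\left(p_{|-z\rangle|z} + \frac{1}{2}p_{2clicks|z}\right)$. We find:

$$ \begin{aligned} Y_n &= \tfrac{1}{4}\left[ 2 + \bar{p}_d(1-F\eta)^n - \bar{p}_d(1-D\eta)^n - 2\bar{p}_d^{\,2}(1-\eta)^n \right] \\ Y_n Q_n &= \tfrac{1}{4}\left[ 1 + \bar{p}_d(1-F\eta)^n - \bar{p}_d(1-D\eta)^n - \bar{p}_d^{\,2}(1-\eta)^n \right] \end{aligned} $$

For a Poissonian source, the overall yield and error rate are then

$$ R_\mu Q_\mu = \tfrac{1}{4}\left[ 1 + \bar{p}_d e^{-\mu F \eta} - \bar{p}_d e^{-\mu D \eta} - \bar{p}_d^{\,2} e^{-\mu\eta} \right]. $$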